FHIR Chat · SMART Demo Apps - Bearer Token · smart

Stream: smart

Topic: SMART Demo Apps - Bearer Token


James Agnew (Dec 07 2016 at 22:18):

So I've been monkeying around getting the SMART demo apps (Growth chart and BP Centiles) working against an OIC server and a FHIR server.

I've got the whole thing working well, with one exception: the apps do not send any Authorization header to the FHIR server when they make a request. They complete the OAuth2 code flow successfully and definitely receive a token, and they are definitely making appropriate FHIR data requests, but with no auth header in them.

Are they able to send this header? Is there any config required to get them to do so?

Josh Mandel (Dec 07 2016 at 22:22):

The expectation is certainly that I can and should send an authorization header containing an OAuth Bearer token :-)

Josh Mandel (Dec 07 2016 at 22:23):

Does your fhir server have CORS set to allow an authorization header?

James Agnew (Dec 08 2016 at 03:13):

It does... But as far as I can see the app isn't actually requesting it in its Access-Control-Request-Headers header.

Request

Accept:*/*
Access-Control-Request-Headers:content-type
Access-Control-Request-Method:GET
Connection:keep-alive
Host:cdr.simpatico.ai:8000
Origin:https://fhir-dstu2.smarthealthit.org
Referer:https://fhir-dstu2.smarthealthit.org/apps/growth-chart/
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36

Response

Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:content-type
Access-Control-Allow-Methods:GET,POST,PUT,DELETE,HEAD,OPTIONS
Access-Control-Allow-Origin:https://fhir-dstu2.smarthealthit.org
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Content-Length:0
Date:Thu, 08 Dec 2016 03:10:20 GMT
Expires:0
Vary:Origin

Josh Mandel (Dec 08 2016 at 03:16):

Oh how strange. And it's successfully completing the OAuth process without any errors in the console?

Josh Mandel (Dec 08 2016 at 03:17):

I wonder whether @Nikolai Schwertner has seen this behavior before (I can't say that I have).

Josh Mandel (Dec 08 2016 at 03:18):

Is it issuing an OPTIONS request first?

James Agnew (Dec 08 2016 at 03:44):

It is, yeah. Basically the same headers there too...

Josh Mandel (Dec 08 2016 at 04:12):

What exact headers does the OPTIONS request contain?

James Agnew (Dec 08 2016 at 11:36):

OPTIONS https://cdr.simpatico.ai:8000/Patient/118

Request headers:

Host: cdr.simpatico.ai:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: GET
Access-Control-Request-Headers: content-type
origin: https://fhir-dstu2.smarthealthit.org
Connection: keep-alive

Response headers:

Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: content-type
Access-Control-Allow-Methods: GET,POST,PUT,DELETE,HEAD,OPTIONS
Access-Control-Allow-Origin: https://fhir-dstu2.smarthealthit.org
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Length: 0
Date: Thu, 08 Dec 2016 03:40:03 GMT
Expires: 0
Pragma: no-cache
Server: Jetty(9.3.10.v20160621)
Vary: Origin
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
strict-transport-security: max-age=31536000 ; includeSubDomains
x-xss-protection: 1; mode=block

Josh Mandel (Dec 08 2016 at 12:11):

Fascinating. You should see:

Request

Access-Control-Request-Headers: authorization, content-type

Response

Access-Control-Allow-Headers: authorization, content-type

Josh Mandel (Dec 08 2016 at 12:21):

I'm wondering if you could share more details about how you're launching the app, and which params you're passing?

Following that, it might help to see the whole transcript (e.g. in Chrome Dev Tools, via "Save HAR with Content").

James Agnew (Dec 08 2016 at 18:41):

The Launch URL I've been using for testing is:
https://fhir-dstu2.smarthealthit.org/apps/growth-chart/launch.html?iss=https://cdr.simpatico.ai:8000&launch=wd9833&patientId=118

Username/password "zulip" if you happen to want to try it. I'll grab a capture though.


Last updated: Apr 12 2022 at 19:14 UTC